@spali
Last active October 7, 2024 12:24
Disable WAN Interface on CARP Backup
#!/usr/local/bin/php
<?php
// CARP hook script: the firewall invokes it with $argv[1] = event source
// ("<vhid>@<interface>") and $argv[2] = the new CARP state (MASTER or BACKUP).
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

// Only a real promotion or demotion is handled; anything else is logged and rejected.
if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}
// The source must look like a CARP "vhid@interface" pair.
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

$ifkey = 'wan';
if ($type === "MASTER") {
    // Promoted: re-enable the WAN interface, persist the change and reconfigure it.
    log_error("enable interface '$ifkey' due CARP event '$type'");
    $config['interfaces'][$ifkey]['enable'] = '1';
    write_config("enable interface '$ifkey' due CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
} else {
    // Demoted to BACKUP: disable the WAN interface so the node stops using it.
    log_error("disable interface '$ifkey' due CARP event '$type'");
    unset($config['interfaces'][$ifkey]['enable']);
    write_config("disable interface '$ifkey' due CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
}
@raegedoc

raegedoc commented Sep 13, 2024

Thank you @spali for this script, simple and efficient without frills.

As of today with OPNsense 24.7.4, the script works perfectly except for the fact that once the backup is promoted to master and then demoted to backup again, the default route (System -> Routes -> Status) is not set back to the LAN VIP as it was set initially, as stated by @skl283.

That problem limits the backup's ability to have internet access while being backup.

To fix that situation, change/add these:

  1. Following $ifkey = 'wan' add $lan_vip = 'YOUR_LAN_VIP' and set it to your correct LAN_VIP / LAN CARP VIP
  2. Following interface_configure in the BACKUP section add both:
     exec('/sbin/route del default >&1', $ifc, $ret);
     exec('/sbin/route add default ' . $lan_vip . ' >&1', $ifc, $ret);
  3. At the end of the script, add the missing "?>"
  4. Add the suggestions provided by @edward-scroop in the post previous to mine (!= INIT and else BACKUP)

NOTE : The 4th step in spali's instructions is not optional anymore. A WAN-to-LAN Gateway is required.

This is it :)
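The four steps above assembled into one hook script, as an added example that is neither spali's gist nor raegedoc's fork: it keeps the MASTER/BACKUP branches, adds the $lan_vip default-route swap from step 2, treats the INIT event as a no-op (my reading of step 4), and additionally validates the VIP and quotes it before it reaches exec. YOUR_LAN_VIP is a placeholder to replace with the LAN CARP VIP.

```php
#!/usr/local/bin/php
<?php
// Added example (not the gist's code): CARP hook that disables the WAN on BACKUP
// and repoints the default route at the LAN CARP VIP so the backup keeps egress.
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type      = !empty($argv[2]) ? $argv[2] : '';
$ifkey     = 'wan';
$lan_vip   = 'YOUR_LAN_VIP';   // placeholder: the LAN CARP VIP shared by both nodes

// INIT is raised on boot/reload and is neither a promotion nor a demotion: do nothing.
if ($type === 'INIT') {
    exit(0);
}
if ($type !== 'MASTER' && $type !== 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}
// Never build a route command from anything that is not a literal IP address.
if (filter_var($lan_vip, FILTER_VALIDATE_IP) === false) {
    log_error("LAN VIP '$lan_vip' is not a valid IP address; leaving routes untouched");
    exit(1);
}

if ($type === 'MASTER') {
    log_error("enable interface '$ifkey' due to CARP event '$type'");
    $config['interfaces'][$ifkey]['enable'] = '1';
    write_config("enable interface '$ifkey' due to CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
} else { // BACKUP
    log_error("disable interface '$ifkey' due to CARP event '$type'");
    unset($config['interfaces'][$ifkey]['enable']);
    write_config("disable interface '$ifkey' due to CARP event '$type'", false);
    interface_configure(false, $ifkey, false, false);
    // Step 2: drop the now-dead WAN default route and send default traffic via the LAN VIP.
    exec('/sbin/route del default 2>&1', $out, $ret);
    exec('/sbin/route add default ' . escapeshellarg($lan_vip) . ' 2>&1', $out, $ret);
    if ($ret !== 0) {
        log_error("route add default via '$lan_vip' failed: " . implode(' ', $out));
    }
}
```

The route commands use 2>&1 so that route(8) error text lands in $out and is logged on failure.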

@skl283

skl283 commented Sep 15, 2024

Hi @raegedoc, are you sure that you use this gist?
There is only an else case, lines 28 to 33, which should be used if the system is in the Backup case... or are you using this gist? There is explicitly a Backup section.

Perhaps you could post or do a fork of this Script?

@willjasen

willjasen commented Sep 15, 2024

I’m throwing this here with little knowledge otherwise with my abandoned script, but a challenge I had to overcome dealt with multiple interfaces being decided as “failed” such that the backup connection would take over. May not be relevant now with the recent updates but throwing it out there - https://gist.github.com/willjasen/6ae0f47bca36ced2bd52b2fefc2bc21e

@raegedoc

raegedoc commented Sep 15, 2024

Hi @raegedoc, are you sure that you use this gist? There is only an else case, lines 28 to 33, which should be used if the system is in the Backup case... or are you using this gist? There is explicitly a Backup section.

Perhaps you could post or do a fork of this Script?

Hi @skl283, I tried them all two weeks ago and none was giving me back internet access on my backup node after being promoted to primary and demoted back to backup again. Only these small additions would fix it all while keeping the script very light and clean.

I forgot to mention I incorporated the suggestions @edward-scroop made in the post previous to mine: https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc?permalink_comment_id=5185710#gistcomment-5185710

Here is a link to my gist: https://gist.github.com/raegedoc/093ba815b6b3f2bc2ff327f48c60f3a9

Open to your ideas :)

@edward-scroop

@raegedoc do you have the gateway monitoring setup for the WAN gateway? Because I have it set up and when it switches back to master, it sets the priority of the backup WAN gateway to defunct which removes it from the route selection.

@raegedoc

raegedoc commented Sep 15, 2024

@edward-scroop, yes, I have gateway monitoring set for my WAN gateway on both primary and backup. The problem is not with my primary node switching back to master but with my backup node switching back to being a backup. This way, the backup has internet access for receiving its OPNsense updates and news announcements.

For clarity, here is my primary configuration for the WAN link when primary is primary and backup is backup:

[image: primary WAN gateway configuration screenshot]

...and for my backup configuration. Blue arrows point to the fields where MY_CARP_LAN_VIP is specified.

[image: backup gateway configuration screenshot]
[image: backup gateway configuration screenshot]

@edward-scroop

edward-scroop commented Sep 15, 2024

From your screenshots, the monitor IP is empty and the "disable gateway monitoring" box is checked. That would mean gateway monitoring is disabled.

I think what is happening is that, as your WAN gateway has a higher priority than the LAN gateway and there is no gateway monitoring, the backup has no way to tell the WAN gateway is down and so has no reason to swap to the LAN gateway.

To fix it, either set the LAN gateway to a priority higher than the WAN gateway, or set a monitor IP of 1.1.1.1 and uncheck the "disable gateway monitoring" box.

@raegedoc

raegedoc commented Sep 15, 2024

Hi, the WAN gateway has priority 254 and WAN-to-LAN has 255 (so WAN > WAN-to-LAN).

Anyway, I tried your trick and it was worse: my backup has no internet access while backup. The default route shown still points the default gateway to the WAN IP, which connects to nothing when backup.

[image: route status screenshot]

Interfaces: Diagnostics: Ping to 1.1.1.1 has 100% loss :(

Since fixing the default gateway (with route delete followed by add CARP_LAN_IP) while being the backup of a functional primary node, it might have been the missing trick for my setup, which is pretty standard when the ISP provides only a public DHCP WAN IP.

I'll keep the setup I shared earlier. Thanks for sharing, edward-scroop.

@edward-scroop

edward-scroop commented Sep 16, 2024

The LAN gateway needs a priority higher than 254. The smaller the value, the higher the priority.

@raegedoc

The LAN gateway needs a priority higher than 254. The smaller the value, the higher the priority.

It is the case, LAN has priority 255.

@edward-scroop

I meant, the LAN needs a priority of 1-253.
